Set Up Single Sign-On

Set up single sign-on (SSO) to test it for your solution.

Set Up the SSO External Client App and Salesforce with Identity Provider (IdP)

  1. From Setup, enter Identity Provider in the Quick Find box, then select Identity Provider and enable it.
  2. To download the certificate and metadata file for using Salesforce as an IdP, under Identity Provider Setup, click Download Metadata.Identity provider setup with download metadata circled
  3. Create an external client app (ECA) to use for authentication.

    We recommend using an external client app for authorization instead of a connected app. Starting in Spring ’26, customers can’t create a connected app unless they request the ability to create connected apps from Salesforce Support. To migrate a preexisting connected app, see Create an External Client App from a Connected App.

    Note

    1. Create an external client app and set Distribution State set to Local.
    2. To enable and configure SAML, configure the external client app's SAML 2.0 settings and policies.
  4. To allow access to the app, update the ECA App policies.
    1. From Setup, enter External Client App Manager in the Quick Find box. Select your external client app.
    2. Click Edit.
    3. On the Policies tab, under App Policies, select profiles for users who need access to SSO login or select permission sets that you’re using for Salesforce Voice.
  5. Save your changes.
  6. To test the IdP SSO login, in the Policies tab under SAML Policies, expand SAML Login Info, and click the IdP-Initiated Login URL.

Perform Headless SSO

If a telephony system login page isn’t needed, you can use a headless single sign-on (SSO) to your service. Salesforce sends a message to the connector iFrame with the entire contact center configuration as defined in {contactCenterName}.callCenter. Use these details to allow SSO, and notify Salesforce by returning a fulfilled Promise with a value of type InitResult when the Promise is successful or rejected.

To set up single sign-on (SSO), configure your Salesforce org as the SAML identity provider. For help, see:

Here’s a sample contact center configuration sent from Salesforce during connector init:

Contact center  configuration code sample
1init(ssoConfig) {
2  const ssoResult = pbx.performSSO(ssoConfig)
3  if (ssoResult.success) {
4    return Promise.resolve(new InitResult({}));
5  } else {
6    return Promise.reject("Failed to login");
7  }
8}

If SSO is successful, the SSO dialer is enabled to allow the rep to make outbound calls.

Omni phone interface with Phone tab highlighted
If SSO fails, the base connector dispatches a CAN_NOT_LOG_IN error. The rep receives an error message in the Omni-Channel utility or the Salesforce window, and their keypad remains disabled.
Omni phone interface with login error
Service console with login error